fix: avoid deleting root filesystem when KANIKO_DIR not set

Author: johnstcn

README.md

@@ -47,6 +47,11 @@ $ vim .devcontainer/Dockerfile
 
 Exit the container, and re-run the `docker run` command... after the build completes, `htop` should exist in the container! 🥳
 
+> **Note:** Envbuilder performs destructive filesystem operations! To guard against accidental data
+> loss, it will refuse to run if it detects that KANIKO_DIR is not set to a specific value.
+> If you need to bypass this behaviour for any reason, you can bypass this safety check by setting
+> `FORCE_SAFE=true`.
+
 ### Git Branch Selection
 
 Choose a branch using `GIT_URL` with a _ref/heads_ reference. For instance:

cmd/envbuilder/main.go

@@ -31,7 +31,6 @@ func main() {
 		SilenceErrors: true,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			options := envbuilder.OptionsFromEnv(os.LookupEnv)
-
 			var sendLogs func(ctx context.Context, log ...agentsdk.Log) error
 			agentURL := os.Getenv("CODER_AGENT_URL")
 			agentToken := os.Getenv("CODER_AGENT_TOKEN")

envbuilder.go

@@ -597,8 +597,7 @@ func Run(ctx context.Context, options Options) error {
 
 		// It's possible that the container will already have files in it, and
 		// we don't want to merge a new container with the old one.
-		err = util.DeleteFilesystem()
-		if err != nil {
+		if err := maybeDeleteFilesystem(options.ForceSafe); err != nil {
 			return nil, fmt.Errorf("delete filesystem: %w", err)
 		}
 
@@ -1270,3 +1269,20 @@ func findDevcontainerJSON(options Options) (string, string, error) {
 
 	return "", "", errors.New("can't find devcontainer.json, is it a correct spec?")
 }
+
+// maybeDeleteFilesystem wraps util.DeleteFilesystem with a guard to hopefully stop
+// folks from unwittingly deleting their entire root directory.
+func maybeDeleteFilesystem(force bool) error {
+	kanikoDir, ok := os.LookupEnv("KANIKO_DIR")
+	if !ok || strings.TrimSpace(kanikoDir) != MagicDir {
+		if force {
+			_, _ = fmt.Fprintf(os.Stderr, "WARNING! BYPASSING SAFETY CHECK! THIS WILL DELETE %s!\n", kanikoDir)
+		} else {
+			_, _ = fmt.Fprintf(os.Stderr, "KANIKO_DIR is not set to %s. Bailing!\n", MagicDir)
+			_, _ = fmt.Fprintln(os.Stderr, "To bypass this check, set FORCE_SAFE=true.")
+			return errors.New("safety check failed")
+		}
+	}
+
+	return util.DeleteFilesystem()
+}

integration/integration_test.go

@@ -44,6 +44,42 @@ const (
 	testImageUbuntu    = "localhost:5000/envbuilder-test-ubuntu:latest"
 )
 
+func TestForceSafe(t *testing.T) {
+	t.Parallel()
+
+	t.Run("Safe", func(t *testing.T) {
+		t.Parallel()
+		srv := createGitServer(t, gitServerOptions{
+			files: map[string]string{
+				"Dockerfile": "FROM " + testImageAlpine,
+			},
+		})
+		_, err := runEnvbuilder(t, options{env: []string{
+			"GIT_URL=" + srv.URL,
+			"KANIKO_DIR=/not/envbuilder",
+			"DOCKERFILE_PATH=Dockerfile",
+		}})
+		require.ErrorContains(t, err, "delete filesystem: safety check failed")
+	})
+
+	// Careful with this one!
+	t.Run("Unsafe", func(t *testing.T) {
+		t.Parallel()
+		srv := createGitServer(t, gitServerOptions{
+			files: map[string]string{
+				"Dockerfile": "FROM " + testImageAlpine,
+			},
+		})
+		_, err := runEnvbuilder(t, options{env: []string{
+			"GIT_URL=" + srv.URL,
+			"KANIKO_DIR=/not/envbuilder",
+			"FORCE_SAFE=true",
+			"DOCKERFILE_PATH=Dockerfile",
+		}})
+		require.NoError(t, err)
+	})
+}
+
 func TestFailsGitAuth(t *testing.T) {
 	t.Parallel()
 	srv := createGitServer(t, gitServerOptions{